When it comes to sensitive information of any sort, the best advice, if you don’t want the whole world to know about it, is never to use an unsecured, publicly accessible ad hoc wireless network service.
Publicly Accessible Ad Hoc Wireless Networks
The above adage/advice holds true for most wireless (and wired) network locations and circumstances, not just publicly accessible ad hoc wireless networks. Wireless access from within your network’s security perimeter must be included as well. You just never know who is eavesdropping or who would like to make unauthorized use of your network for their own ends.
Unfortunately, in the real world users are very unlikely to adopt such a drastic (from the user’s perspective) approach, so alternatives need to be found and implemented. When particular options are deemed to be the preferred method of connectivity, it is important that all users be brought up to speed as quickly as possible. One must also ensure that they actually use the solution(s).
The solutions that I will discuss here are based around encryption, tunneling protocols, Virtual Private Networking (VPNs) and remote access technologies. The goals that implementing these technologies will deliver include confidentiality, integrity, authentication and the protection of Personally Identifiable Information (PII).
Some of the strategies used include user education and awareness along with the implementation of multiple layers of defenses. The first step in ensuring compliance is education. Users generally tend to be very reluctant to adopt new technologies when the ones they are currently using work just fine (from their perspective). What is holding our users back here is best described as “a fear of the unknown”.
Develop a Security Conscious Culture
User education is essential to the development and fostering of a security conscious environment regardless of location and circumstance. Everybody must do their bit if an organization is to realize the benefits of a security conscious environment. Researchers have shown time and time again that a security “aware” organization is much harder for would-be attackers to penetrate.
In order to streamline the process of information dissemination, and to clearly define what is required of everybody from both the individual’s and the group’s perspective, the development and implementation of appropriate wireless usage security policies is critical. Knowledgeable users are far less prone to falling victim to social engineering tactics. It is also important that wireless users be kept “in the loop”. This means that you should update and communicate with your users whenever issues arise. Statistics gathered over the years consistently show that what affects one user is, in all likelihood, capable of affecting them all. Always adopt a policy of keeping insiders in and outsiders out.
Because attackers have a whole host of tools and utilities at their disposal, it is unrealistic to expect that any preventative regime or countermeasures implemented as part of a “single stroke” strategy will ever suffice. Thus, security initiatives need to be designed and implemented as a suite of tools and strategies. Realizing that reducing exposure to malicious intentions and malware is best achieved through the deployment of a suite of security initiatives is but the first step in the design and implementation of a resilient, robust and highly secure environment, regardless of the precise nature of said environment.
With regard to a suite of tools, we in the trade refer to having more than one tool to address different vulnerability, risk and threat aspects at multiple points of potential susceptibility as Security-in-Depth. It is this ethos that we are going to adopt and implement in our endeavors to fortify wireless network security.
Unified Communications (UC)
With the continuing trend toward Unified Communications (UC) we find that it is no longer possible to fully compartmentalize and isolate communications, computers, computer systems, applications, networks, the Internet and local networking as we have in the past. The network designs and production environment implementations of today must take security initiatives and compatibility issues into consideration at all stages of development while providing support for a multiplicity of features, objectives and interactions.
Undoubtedly, the most common desirable targets for information thieves are Personally Identifiable Information (PII) and authorization/authentication credentials. After the theft or other acquisition of this information, it is nearly always the perpetrator’s intent to commit a whole bunch of additional crimes. The most common are financial fraud and unauthorized access to network resources or to the sensitive information held by an organization, with a view to further felonious activities.
Here are some of the types of personal information/credentials that commonly come under fire. Account Login Names, Passwords (for authentication purposes), Banking and/or Credit Card Details, Tax File Number, Social Security Number, Residential Address Details, Phone Numbers etc. are all highly prized by information thieves. Health Records, Passport Details, Driver’s License and Registration Forms are also sought after, but not quite on the same scale.
Personally Identifiable Information (PII) Web Browser Storage and Access
Permitting your Web browser to remember your Personally Identifiable Information (PII) opens the door for hackers to compromise your assets. It is very easy to retrieve this sensitive information particularly in the event that your wireless-enabled device is stolen.
If you do not want everybody else on the planet to know the explicit details of your every wireless online transaction, then do not do it. Although this may seem self-evident, take note that the interception of online transactions still constitutes a major component of the tools and strategies used in the effective and efficient breaching and subsequent compromise of an organization’s security initiatives at all levels.
Virtual Private Networks (VPN)
There are a number of potential VPN solutions from which to choose, and they come in different flavors. Point-to-Point VPNs are used mostly when an organization, or individuals for that matter, wish to connect using a public medium such as the Internet. PPTP and L2TP are two of the more common protocols used for these types of connections. Basically, end-to-end connections are negotiated, and once established all information passing between the endpoints is encrypted.
Web Based SSL VPN Solutions
Numerous web services currently provide SSL VPN solutions. An encrypted tunnel is established between your device and the servers of the SSL VPN solution’s provider. You are now free to surf the net. Note that this solution only applies to web based applications. Once the connection has been established, all traffic generated from or returned to a wireless device is fully encrypted by default.
Some of these web based SSL VPN solutions include TOR, Megaproxy and IronKey. The IronKey solution, for example, uses a secure USB flash drive. It is capable of establishing and auto-configuring a secure SSL VPN tunnel once wireless Internet access becomes available.
Remote Access Applications
Since web based SSL VPN solutions only apply to web based applications, another solution is required to deal with email applications such as Microsoft Outlook, which means that a full, feature rich VPN solution is necessary. The VPN tunnel will allow authorised personnel to connect to the home or office networks remotely. Now the company network will take care of all the normal business applications, file sharing, and Internet access. The advantage of using remote access applications is that no sensitive data travels over questionable networks.
The basic idea here is that specialty software allows you to control remote devices. The devices can be located anywhere. The only proviso is that they have Internet connectivity 24/7 if you want to access or control them 24/7. An SSL tunnel is established. Then the remote access session takes place through it. Web surfing, e-mail, and other applications are active only on the remote computer. LogMeIn and MioNet are two applications that deliver this type of service.
Secure Anonymous Web Surfing
Whenever possible, make sure that you use secure and anonymous web surfing practices. This takes on greater importance when a Virtual Private Network (VPN) service is not being used or is not available. Safe web surfing practices help to minimize your risk exposure in the event of incorrect Virtual Private Network (VPN) configuration.